A data storage device includes a storage medium to store user data, a communication interface to communicate with a host device, and at least one processor. The processor communicates with the host device over a first communication channel by emulating a network adapter. The first communication channel is enabled by an Ethernet over USB (universal serial bus) protocol driver, such as CDC-NCM (Communication Device Class Network Control Model). The processor also communicates with the host device over a second communication channel that is enabled by a USB mass storage driver. A web application instantiated at a browser of the host device is configured to receive authentication data (such as a password) from a user, and the authentication data is communicated from the host device to the data storage device via the first communication channel. In response to verifying the authentication data, selective access to the storage medium is enabled via the second communication channel. The web application can be platform-agnostic.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A data storage device comprising: a storage medium with at least a secured partition configured to store user data; a communication interface configured to communicate with a host device; and at least one processor configured, individually or in combination, to: communicatively couple with the host device, via a first communication channel, wherein the at least one processor is configured to emulate a network adapter to the host device, wherein the first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver; communicatively couple with the host device, via a second communication channel, wherein the second communication channel enables communication between the storage medium and the host device, and wherein the second communication channel is enabled by a USB mass storage driver; receive, via the first communication channel, authentication data from the host device, wherein the authentication data is received from a web application instantiated at a browser of the host device; verify that the received authentication data corresponds to a record in an authentication data set; and in response to verifying the received authentication data, selectively enable access between the host device and the secured partition via the second communication channel.
2. A data storage device according to claim 1, wherein the Ethernet over USB protocol driver is CDC-NCM (Communication Device Class Network Control Model).
3. A data storage device according to claim 1, wherein the storage medium or a further memory is configured to store the web application, and wherein the at least one processor is further configured to: send to the host device, via the first communication channel, the web application or a representation of the web application.
4. A data storage device according to claim 3, wherein the at least one processor is further configured to emulate a server, wherein the server is configured to host the web application.
5. A data storage device according to claim 1, wherein the storage medium further comprises an unsecured partition configured to store the web application, and wherein the data storage device is configured to send the web application from the unsecured partition to the host device via the second communication channel.
6. A data storage device according to claim 5, wherein the web application stored in the unsecured partition is read-only and/or write protected.
7. A data storage device according to claim 1, wherein the communication interface includes a USB bridge, and wherein the first communication channel and the second communication channel are respective logical pipes through a USB cable between the host device and the data storage device.
8. A data storage device according to claim 7, further comprising: a first endpoint set to send and receive data transferred through the first communication channel; and a second endpoint set to send and receive data transferred through the second communication channel.
9. A data storage device according to claim 1 further comprising: a cryptography engine, wherein in response to selective access between the host device and the secured partition, the cryptography engine is configured to: encrypt user data to encrypted data and in response, send the encrypted data to be stored in the secured partition; and decrypt encrypted data stored in the secured partition to user data, wherein the communication interface is configured to receive and send user data between the data storage device and the host device, via the second communication channel.
10. A data storage device according to claim 1, wherein the web application comprises at least one or more of: Hypertext Markup Language (HTML); Cascading Style Sheets; and JavaScript.
11. A data storage device according to claim 1, wherein the communication interface is configured to transmit and receive data, via the first communication channel, in accordance with Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP).
12. A method for a data storage device to communicate with a host device, the method comprising: communicatively coupling with the host device via a first communication channel, wherein the data storage device emulates a network adapter to the host device, wherein the first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver; communicatively coupling with the host device via the second communication channel, wherein the second communication channel enables communication between a storage medium of the data storage device and the host device, and wherein the second communication channel is enabled by a USB mass storage driver; receiving, via the first communication channel, authentication data entered into, or via, a web application instantiated at a browser of the host device, verifying that the received authentication data corresponds to a record in an authentication data set; and in response to verifying the received authentication data, selectively enabling access between the host device and a secured partition of the storage medium of the data storage device, via the second communication channel.
13. A method according to claim 12, wherein the Ethernet over USB protocol driver uses CDC-NCM (Communication Device Class Network Control Model).
14. A method according to claim 12, wherein in response to receiving a request to access the web application, the method further comprises: sending to the host device, via the first communication channel, the web application or a representation of the web application.
15. A method according to claim 12 wherein communicatively coupling with the host device enables access to an unsecured partition of the storage medium of the data storage device, wherein the unsecured partition is configured to store the web application; and the method further comprises: sending the web application from the unsecured partition to the host device, via the second communication channel.
16. A method according to claim 12, wherein the first communication channel and the second communication channel are respective logical pipes through a USB cable between the host device and the data storage device.
17. A method according to claim 12, wherein the secured partition of the storage medium is configured to store encrypted user data, and wherein the method further includes: receiving user data from the host device via the second communication channel and, in response, encrypting, with a cryptography engine, user data to encrypted data; and storing the encrypted user data in the secured partition of the storage medium; receiving encrypted user data stored in the secured partition of the storage medium and, in response; decrypting, with the cryptography engine, encrypted user data to user data; and sending user data to the host device via the second communication channel.
18. A method according to claim 12, wherein the web application comprises at least one or more of: Hypertext Markup Language (HTML); Cascading Style Sheets; and JavaScript.
19. A method according to claim 12, wherein data transmitted via the first communication channel is transmitted in accordance with Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP).
20. A data storage device comprising: means for storing data and means for selectively enabling access between the means for storing data and a host device; means for communicatively coupling with the host device via a first communication channel, wherein the data storage device further comprises means for emulating a network adapter to the host device, wherein the first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver; means for communicatively coupling with the host device via the second communication channel, wherein the second communication channel enables communication between the means for storing and the host device, and wherein the second communication channel is enabled by a USB mass storage driver; means for receiving, via the first communication channel, authentication data entered into, or via, a web application instantiated at a browser of the host device, means for verifying that the received authentication data corresponds to a record in an authentication data set; and in response to verifying the received authentication data, the means for selectively enabling access is configured to enable access between the host device and the means for storing data, via the second communication channel.
Complete technical specification and implementation details from the patent document.
The present disclosure relates to communication with a data storage device and a host device. In some examples, the disclosure relates to authentication, access control, and configuration of the data storage device.
Encryption of data enables relatively secure storage on data storage devices, such as block data storage devices connectable via a Universal Serial Bus (USB) cable. However, the user experience is often disappointing because the setup of passwords, keys and the like is cumbersome and complicated for technically unskilled users. If encryption is used, the keys and passwords are too often stored insecurely. As a result, many users leave existing encryption technology effectively unused, resulting in exposed confidential data.
In some data storage devices, a physical keypad is provided at the data storage device to enter passwords, keys and the like. In other data storage devices, specialized software or drivers for the data storage device need to be installed on the host device to enable entry of passwords, keys and the like before secure communication with the data storage device and the host device.
There is disclosed a data storage device comprising: a storage medium with at least a secured partition configured to store user data; a communication interface configured to communicate with a host device; and at least one processor. The at least one processor is configured, individually or in combination, to: communicatively couple with the host device, via a first communication channel. The at least one processor is configured to emulate a network adapter to the host device, wherein the first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver. The at least one processor is also configured to communicatively couple with the host device, via a second communication channel, wherein the second communication channel enables communication between the storage medium and the host device, and wherein the second communication channel is enabled by a USB mass storage driver. The at least one processor is further configured to receive, via the first communication channel, authentication data from the host device, wherein the authentication data is received from a web application instantiated at a browser of the host device. The at least one processor is configured to: verify that the received authentication data corresponds to a record in an authentication data set; and in response to verifying the received authentication data, selectively enable access between the host device and the secured partition via the second communication channel.
In some examples of the data storage device, the Ethernet over USB protocol driver is CDC-NCM (Communication Device Class Network Control Model).
In some examples of the data storage device, the storage medium or a further memory is configured to store the web application. The at least one processor is further configured to send to the host device, via the first communication channel, the web application or a representation of the web application.
In a further example of the data storage device, the at least one processor is further configured to emulate a server, wherein the server is configured to host the web application.
In some examples of the data storage device, the storage medium further comprises an unsecured partition configured to store the web application, and wherein the data storage device is configured to send the web application from the unsecured partition to the host device via the second communication channel. In some examples of the data storage device, the web application stored in the unsecured partition is read-only and/or write protected.
In some examples of the data storage device, the communication interface includes a USB bridge, and wherein the first communication channel and the second communication channel are respective logical pipes through a USB cable between the host device and the data storage device.
In further examples, the data storage device further comprises: a first endpoint set to send and receive data transferred through the first communication channel; and a second endpoint set to send and receive data transferred through the second communication channel.
In some examples, the data storage device further comprises a cryptography engine, wherein in response to selective access between the host device and the secured partition, the cryptography engine is configured to: encrypt user data to encrypted data and in response, send the encrypted data to be stored in the secured partition; and decrypt encrypted data stored in the secured partition to user data. The communication interface is configured to receive and send user data between the data storage device and the host device, via the second communication channel.
In some examples of the data storage device, the web application comprises at least one or more of: hypertext markup language (HTML); Cascading Style Sheets (CSS); and JavaScript.
In some examples of the data storage device, the communication interface is configured to transmit and receive data, via the first communication channel, in accordance with Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP).
There is also disclosed a method for a data storage device to communicate with a host device, the method comprising: communicatively coupling with the host device via a first communication channel, wherein the data storage device emulates a network adapter to the host device. The first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver. The method also includes communicatively coupling with the host device via the second communication channel, wherein the second communication channel enables communication between a storage medium of the data storage device and the host device, and wherein the second communication channel is enabled by a USB mass storage driver. The method also includes receiving, via the first communication channel, authentication data entered into, or via, a web application instantiated at a browser of the host device. The method further includes verifying that the received authentication data corresponds to a record in an authentication data set. In response to verifying the received authentication data, the method includes selectively enabling access between the host device and a secured partition of the storage medium of the data storage device, via the second communication channel.
In some examples of the method, the Ethernet over USB protocol driver uses CDC-NCM (Communication Device Class Network Control Model).
In some examples, in response to receiving a request to access the web application, the method further comprises sending to the host device, via the first communication channel, the web application or a representation of the web application.
In some examples of the method, communicatively coupling with the host device enables access to an unsecured partition of the storage medium of the data storage device. The unsecured partition is configured to store the web application; and the method further comprises: sending the web application from the unsecured partition to the host device, via the second communication channel.
In some examples of the method, the web application stored in the unsecured partition of the storage medium of the data storage device is read-only and/or write-protected.
In some examples of the method, the first communication channel and the second communication channel are respective logical pipes through a USB cable between the host device and the data storage device.
In some examples of the method, the secured partition of the storage medium is configured to store encrypted user data, and wherein the method further includes: receiving user data from the host device via the second communication channel and, in response, encrypting, with a cryptography engine, user data to encrypted data; and storing the encrypted user data in the secured partition of the storage medium.
In further examples, the method includes: receiving encrypted user data stored in the secured partition of the storage medium and, in response; decrypting, with the cryptography engine, encrypted user data to user data; and sending user data to the host device via the second communication channel.
In some examples of the method, the web application comprises at least one or more of: hypertext markup language (HTML); Cascading Style Sheets (CSS); and JavaScript.
In some examples of the method, data transmitted via the first communication channel is transmitted in accordance with Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP).
There is also disclosed a data storage device comprising: means for storing data and means for selectively enabling access between the means for storing data and a host device. The data storage device also comprises means for communicatively coupling with the host device via a first communication channel, wherein the data storage device further comprises means for emulating a network adapter to the host device, wherein the first communication channel is enabled by an Ethernet over USB (Universal Serial Bus) protocol driver. The data storage device also includes means for communicatively coupling with the host device via the second communication channel, wherein the second communication channel enables communication between the means for storing and the host device, and wherein the second communication channel is enabled by a USB mass storage driver. The data storage device also includes means for receiving, via the first communication channel, authentication data entered into, or via, a web application instantiated at a browser of the host device. The data storage device further includes means for verifying that the received authentication data corresponds to a record in an authentication data set. In response to verifying the received authentication data, the means for selectively enabling access is configured to enable access between the host device and the means for storing data, via the second communication channel.
FIGS. 1 and 2 illustrate an example of a data storage device 1 configured to be communicatively coupled with a host device 5. FIG. 1 illustrates a simplified schematic of data flow and technology topology, and FIG. 2 illustrates a simplified schematic of components of the device. The data storage device 1 includes a storage medium 19 with at least a secured partition 8 that is configured to store user data. The data storage device also includes a communication interface 3 configured to communicate with the host device 5, which in some examples includes a universal serial bus (USB) bridge configured to transmit and receive data via a USB cable 28 to the host device 5. The data storage device also comprises at least one processor 7 configured to execute program code stored within a memory 26 to issue commands for controlling the operation of the data storage device 1.
The at least one processor 7 is configured, individually or in combination, to perform steps in a method 100, as illustrated in FIG. 3, to enable communication of user data between the storage medium 19 and the host device 5. This includes communicatively coupling 110 with the host device 5 via a first communication channel 20, wherein the at least one processor is configured to emulate a network adapter 9 to the host device 5. The first communication channel is enabled by an Ethernet over USB protocol driver 32a, 32b. Thus, from the host device perspective, the first communication channel 20 provides a connection to an (emulated) network. This first communication channel 20 may be configured to transmit and receive security commands discussed below.
The at least one processor 7 is also configured to communicatively couple 120 with the host device 5 via a second communication channel 22, wherein the second communication channel 22 enables communication between the storage medium 19 and the host device. The second communication channel 22 is enabled by a USB mass storage driver 34a, 34b. Thus, from the host device perspective, the second communication channel 22 provides a connection to a mass storage device. This second communication channel 22 may be configured to transmit and receive user data.
Thus in some examples, the host device 5 communicating with the communication interface 3 have respective endpoints for two USB devices, namely the (emulated) network adapter and a mass storage device.
The data storage device 1 may be configured to enable selective access to the storage medium 19, such as with verification of authentication data in an unlocking process. This can include the at least one processor 7 receiving 140, via the first communication channel 20, authentication data 61 from the host device 5. The authentication data is received from a web application 17 instantiated at a browser 12 of the host device 5. Notably, the authentication data 61, which may be part of a security command, is transmitted via the first communication channel 20 enabled by the emulated network adapter.
The at least one processor is configured to verify 150 that the received authentication data 61 corresponds to a record 63 in an authentication data set 65. In response to verifying the received authentication data, the at least one processor selectively enables access between the host device 5 and a secured partition 8 of the storage medium 19 via the second communication channel 22. In some examples, this can include enabling a cryptography engine 23 to encrypt and decrypt user data stored in the secured partition 8 of the storage medium 19.
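The unlock sequence above, modeled as an added example that is not part of the patent: security commands arrive on the first channel, block I/O arrives on the second, and requests for the secured partition are refused until a password matches a record in the authentication data set. The JSON command format, the PBKDF2 verifier, relocking on disconnect and every name in the code are assumptions made for illustration; the cryptography engine is left out.

```python
import hashlib
import hmac
import json
import os

SECTOR_SIZE = 512        # bytes per block (assumed)
PBKDF2_ROUNDS = 100_000  # assumed work factor for stored verifiers


class AccessDenied(Exception):
    """A request on the mass-storage channel was refused."""


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Stretch the password so the data set never stores it in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    """Create one record of the authentication data set (salt + verifier)."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_verifier(password, salt)}


class StorageDeviceModel:
    """Blocks below secured_start form the unsecured, write-protected partition;
    blocks from secured_start upward form the secured partition."""

    def __init__(self, records, secured_start: int, total_blocks: int):
        self.records = list(records)
        self.secured_start = secured_start
        self.blocks = [bytes(SECTOR_SIZE) for _ in range(total_blocks)]
        self.unlocked = False

    # ---- first channel: security commands via the emulated network adapter ----
    def handle_security_command(self, body: bytes) -> dict:
        """Process one command body (hypothetical JSON format)."""
        try:
            cmd = json.loads(body)
        except ValueError:
            cmd = None
        if not isinstance(cmd, dict):
            return {"ok": False, "unlocked": self.unlocked}
        if cmd.get("op") == "lock":
            self.unlocked = False
            return {"ok": True, "unlocked": False}
        if cmd.get("op") == "unlock" and isinstance(cmd.get("password"), str):
            matched = self._verify(cmd["password"])
            self.unlocked = self.unlocked or matched
            return {"ok": matched, "unlocked": self.unlocked}
        return {"ok": False, "unlocked": self.unlocked}

    def _verify(self, password: str) -> bool:
        matched = False
        for rec in self.records:  # check every record; compare in constant time
            candidate = derive_verifier(password, rec["salt"])
            matched |= hmac.compare_digest(candidate, rec["verifier"])
        return matched

    def on_disconnect(self) -> None:
        """Assumed policy: removing the cable relocks the secured partition."""
        self.unlocked = False

    # ---- second channel: block I/O via the mass-storage function ----
    def read_block(self, lba: int) -> bytes:
        self._authorize(lba, write=False)
        return self.blocks[lba]

    def write_block(self, lba: int, data: bytes) -> None:
        self._authorize(lba, write=True)
        if len(data) != SECTOR_SIZE:
            raise ValueError("data must be exactly one block")
        self.blocks[lba] = bytes(data)

    def _authorize(self, lba: int, write: bool) -> None:
        if not 0 <= lba < len(self.blocks):
            raise AccessDenied("block address out of range")
        if lba < self.secured_start:
            if write:
                raise AccessDenied("unsecured partition is write-protected")
            return
        if not self.unlocked:
            raise AccessDenied("secured partition is locked")


def is_denied(operation, *args) -> bool:
    """Return True when a mass-storage request is refused."""
    try:
        operation(*args)
    except AccessDenied:
        return True
    return False
```

The lock state lives only on the device side, so nothing sent on the mass-storage channel can change it.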
In some examples, the Ethernet over USB protocol driver 32a, 32b, is CDC NCM (Communication Device Class Network Control Model). This can be advantageous in that CDC NCM drivers are provided on a wide variety of operating systems in contemporary host devices 5. This can include Windows and MacOS for laptop and desktop computers, as well as operating systems of mobile devices including some tablet devices and smartphones.
Therefore examples of the data storage device 1 can be used with a host device 5 without requiring special drivers to be installed on the host device 5.
Furthermore, the web application 17 is a web-based application that is instantiated in a web browser 12 of the host device 5. This can include any web browser 12 that can run web applications. For example, web applications using hypertext markup language (HTML). Advantageously, many computers and mobile communication devices are configured with a web browser 12 and therefore running a web application 17 can be more convenient than requiring users to install a native application to the host device 5. Thus the data storage device 1 can be used with a wide variety of host devices 5 and operating systems without having to install specialised drivers or software. This can be particularly useful in environments where technical, communication, security, organizational policy, or other reasons prevent or impede a user of a host device 5 from installing device drivers or software on the host device 5.
The components of an example of a data storage device will now be described in detail. It is to be appreciated that alternative examples may include more, or less, features.
The data storage device 1, in general, is configured to be used with a host device 5 to store user data. In some examples, the data storage device 1 is a device external to the host device 5 and can be configured to be a portable device. In particular, the data storage device 1 can be configured for use with the host device 5 by connecting a cable 28 between respective communication interfaces 3, 37. When not in use, the cable 28 can be disconnected and the data storage device 1 may be moved and transported, and in some examples, used with another host device.
The data storage device 1 is configured with security features to control access to user data stored in the data storage device 1. In some examples, the data storage device is a self-encrypting drive (SED).
The communication interface 3 enables communication between the data storage device 1 and the host device 5. In this example, one function is to provide a wire-based data port between the host device 5 and components of the data storage device 1. In a preferred example, this includes a USB (universal serial bus) bridge 31 to enumerate with the host device 5.
In use, the data storage device 1 can appear, from the perspective of the host device 5, as two different downstream peripheral devices as illustrated in FIG. 4. That is, the communication interface 3 can function as a USB hub. One peripheral device is as a mass data storage device 13, whereby the host uses the storage medium 19 to store, read, and write, user content data. The other peripheral device is where the at least one processor 7 emulates a network adapter 9 and an emulated HTTP server 16 in an emulated network 18.
Thus the first communication channel 20 and second communication channel 22 are respective logical pipes, and data from the two channels may pass through a common physical cable set 28 (such as a USB cable) between the host device 5 and the data storage device 1.
Thus the data storage device 1 is configured to have a first endpoint set 33 to send and receive data transferred through the first communication channel 20 to the network adapter 9. The data sent through the first communication channel can include security commands, or setup/configuration commands, to the data storage device.
Furthermore, a second endpoint set 35 is configured to send and receive data transferred through the second communication channel 22 to the mass storage device 13 / storage medium 19. The second communication channel 22 is used for sending and receiving user data to the storage medium 19 of the data storage device 1 (i.e. the mass storage device 13 function).
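A host-side view of the two endpoint sets described above, as an added example that is not code from the patent: it parses a USB configuration descriptor and groups endpoint addresses by function, using the USB-IF class codes for CDC control (0x02, NCM subclass 0x0D), CDC data (0x0A) and mass storage (0x08). The sample descriptor, its endpoint addresses and all function names are constructed for illustration.

```python
import struct

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_CDC_CONTROL, CLASS_MASS_STORAGE, CLASS_CDC_DATA = 0x02, 0x08, 0x0A
CDC_SUBCLASS_NCM = 0x0D


def parse_configuration(blob: bytes) -> list:
    """Walk a configuration descriptor and return its interfaces with endpoints."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("buffer does not start with a configuration descriptor")
    interfaces, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated descriptor header")
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError("descriptor length runs past the buffer")
        desc = blob[offset:offset + length]
        if dtype == DT_CONFIGURATION:
            if length < 9 or struct.unpack_from("<H", desc, 2)[0] != len(blob):
                raise ValueError("wTotalLength does not match the buffer")
        elif dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            interfaces.append({"number": desc[2], "alt": desc[3], "class": desc[5],
                               "subclass": desc[6], "protocol": desc[7], "endpoints": []})
        elif dtype == DT_ENDPOINT:
            if length < 7 or not interfaces:
                raise ValueError("endpoint descriptor without an interface")
            interfaces[-1]["endpoints"].append(desc[2])  # bEndpointAddress
        offset += length  # class-specific descriptors are skipped
    return interfaces


def group_endpoints(interfaces: list) -> dict:
    """Group endpoint addresses into the network and mass-storage functions."""
    has_ncm = any(i["class"] == CLASS_CDC_CONTROL and i["subclass"] == CDC_SUBCLASS_NCM
                  for i in interfaces)
    groups = {"network": set(), "mass_storage": set()}
    for i in interfaces:
        is_ncm_control = i["class"] == CLASS_CDC_CONTROL and i["subclass"] == CDC_SUBCLASS_NCM
        if i["class"] == CLASS_MASS_STORAGE:
            groups["mass_storage"].update(i["endpoints"])
        elif is_ncm_control or (has_ncm and i["class"] == CLASS_CDC_DATA):
            groups["network"].update(i["endpoints"])
    return {name: sorted(eps) for name, eps in groups.items()}


def audit(blob: bytes) -> str:
    """Summarize which of the two functions a device configuration exposes."""
    try:
        groups = group_endpoints(parse_configuration(blob))
    except ValueError:
        return "malformed"
    net, msc = bool(groups["network"]), bool(groups["mass_storage"])
    if net and msc:
        return "network+storage"
    return "storage-only" if msc else "network-only" if net else "other"


# ---- constructed sample input (not captured from a real device) ----
def interface_desc(number, alt, n_eps, cls, sub, proto) -> bytes:
    return bytes([9, DT_INTERFACE, number, alt, n_eps, cls, sub, proto, 0])


def endpoint_desc(address, attributes, max_packet, interval=0) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, address, attributes, max_packet, interval)


def build_configuration(parts, n_interfaces) -> bytes:
    body = b"".join(parts)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       n_interfaces, 1, 0, 0x80, 250)
    return head + body


def build_sample_configuration() -> bytes:
    return build_configuration([
        interface_desc(0, 0, 1, CLASS_CDC_CONTROL, CDC_SUBCLASS_NCM, 0x00),
        bytes([5, 0x24, 0x00, 0x10, 0x01]),            # CDC header functional descriptor
        endpoint_desc(0x81, 0x03, 16, 9),              # interrupt IN (notifications)
        interface_desc(1, 0, 0, CLASS_CDC_DATA, 0x00, 0x01),   # alt 0: no endpoints
        interface_desc(1, 1, 2, CLASS_CDC_DATA, 0x00, 0x01),   # alt 1: bulk pair
        endpoint_desc(0x82, 0x02, 512), endpoint_desc(0x02, 0x02, 512),
        interface_desc(2, 0, 2, CLASS_MASS_STORAGE, 0x06, 0x50),
        endpoint_desc(0x83, 0x02, 512), endpoint_desc(0x03, 0x02, 512),
    ], n_interfaces=3)


if __name__ == "__main__":
    print(audit(build_sample_configuration()))
```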
One function of the data storage device 1 is to register with the host device 5 as a mass data storage device providing the functionality to the operating system of the host device 5 of a block data storage device. Data storage device 1 includes a non-transitory storage medium 19 to store user content data. In some examples, this includes unencrypted user content data. In other examples, the storage medium 19 stores encrypted user content data. In some examples, the data storage device is a self-encrypting drive where data is encrypted by a cryptography engine 22 discussed in a separate section below.
The user content data is the data that a user would typically want to store on a data storage device, such as files including image files, documents, video files, etc. The storage medium may be a solid state drive (SSD), hard disk drive (HDD) with a rotating magnetic disk or other non-volatile storage media. Further, the storage medium may be a block data storage device, which means that the user content data is written in blocks to the storage medium 19 and read in blocks from the storage medium 19.
The storage medium 19 includes a secured partition 8 to store user data that is selectively accessible when the data storage device 1 is unlocked. That is, the secured partition 8 is only accessible when authentication data has been verified.
In some examples the storage medium 19 includes only a single secured partition 8 (i.e. the single secured partition 8 exclusively occupies all the storage medium 19). In other examples, the storage medium 19 may be divided into multiple secured partitions 8 that can enable multiple users to have their own respective secured partitions 8 in the same data storage device 1.
In further examples, the storage medium 19 may have a further unsecured partition 10. By unsecured, this means that a host device 5 can read data from the unsecured partition without presenting verified authentication data. In some examples, this is useful for storing data that is freely readable. This can include storing a copy of the web application 17. Thus in some examples, the further unsecured partition 10 may, from the perspective of the host device 5, appear as a mass storage device that is accessible after the cable 28 is connected to the respective communication interfaces 3. This can enable the host device 5 to request a copy of the web application from the unsecured partition 10. Subsequently, the web application is sent from the unsecured partition 10 to the host device 5, via the second communication channel 22. The web application 17 can then run on a browser 12 of the host device 5.
In examples where the web application 17 is stored in the unsecured partition 10, it may be advantageous for the web application 17 to be write protected. This can include specifically write protecting the web application 17. In further examples, this can include write-protecting (or otherwise specifying read-only) for the unsecured partition 10. This can prevent the web application from being inadvertently, or deliberately, deleted or altered. This advantageously enables the web application 17 to be easily available to a host device 5.
In one alternative, the web application 17 is sent 130 to the host device 5 via the first communication channel 20. That is, sent via the emulated network adapter 9. In such examples, the web application 17 may be stored in the storage medium and the at least one processor 7 is configured to send the web application 17 from the storage medium 19 to the host device 5.
In one example, storage medium 19 comprises a cryptography engine 22 in the form of a dedicated and/or programmable integrated circuit that encrypts data to be stored on storage medium 19 and decrypts data to be read from storage medium 19.
The cryptography engine 22 is connected between the communication interface 3/processor 7 and the storage medium 19 and is configured to use a cryptographic key to encrypt 152 user content data into encrypted data to be stored in the secured partition 8 of the storage medium 19. The cryptography engine 22 may also decrypt the encrypted user content data stored in the secured partition 8 of the storage medium 19 into user data to be sent to the host device 5. The cryptography engine 22 may be enabled to perform these functions in response to the at least one processor 7 enabling selective access to the host device 5. The user content data is sent and received to the host device 5, via the cryptography engine 22 and the second communication channel 22.
7 22 7 22 The at least one processorcan function as an access controller and provides, at least in part, the cryptographic key to the cryptography engine. For example the at least one processorprovide the key to the cryptography engine.
7 7 3 7 22 1 FIG. The interface between the at least one processorand the communication interface may be an integrated circuit bus which is useful in case this bus is implemented in existing chips. However, it is possible to use many other communication architectures including bus, point-to-point, serial, parallel, memory based and other architectures. The separation of functionality in dedicated chips as illustrated inis only an example of one implementation. It is possible to combine the functionalities or split the functionalities further. For example, the communication interface may be integrated with the at least one processorinto a single chip with a single core. In other cases, the communication interfaceand the at least one processorcan be integrated with the cryptography engineinto a single dedicated chip with a single core. In other examples, the chips may have multiple cores.
7 26 26 1 The at least one processoris associated with configuration memorystoring software to implement the method described herein. A processor may comprise one or more of microprocessors, microcontrollers, controlling circuitry, or a combination thereof. The one or more processors are, in combination or individually, configured to execute program code stored within the memoryto issue commands for controlling the operation of the data storage device.
7 9 16 20 20 17 12 5 One function of the at least one processoris to emulate a network adapterand server (such as HTTP server), to enable authentication data (and other security or configuration commands) to be received via the first communication channel. In further examples, this includes additional communication through the first communication channelto the web applicationinstantiated at the browserat the host device.
7 20 5 This can include the processorperforming additional communicationwith the host devicethat is associated with authentication, including authenticating as well as enrolling and configuration for future authentication. Additional communication can also include access control, and other configuration of the data storage device. These will be described in further detail below with reference to example methods.
7 8 19 5 22 In some examples, the at least one processoris also involved with access control, including selectively enabling access between the secured partitionof the storage mediumand the host device. In one example, this can include enabling access by sending a cryptographic key to the cryptography enginewhen authentication and/or authorization requirements are satisfied. This may be responsive to, in some examples, receiving valid authentication data from the host devices through the web application.
7 7 In one example, the at least one processormay include a reduced instruction set computer (RISC). In one example, the at least one processoris a Cortex M0 microcontroller from ARM Limited.
26 1 17 16 9 Configuration memorystores data related to configuration of the data storage device. This may include data related to access control (including authentication data set, cryptographic keys), and other configuration parameters. This may include data related to the web application, the HTTP server, and the emulated network adapter.
7 26 17 26 19 7 16 130 5 7 20 Firmware associated with the at least one processormay be stored in the configuration memoryor other non-volatile memory. In some examples, the web application, or part of the web application, may be stored in the configuration memory(that is separate to the storage medium). This may include server-side scripts of the web-application run on the at least one processorto emulate the server. In other examples, this may also include client-side scripts that are sentto the host device, by the at least one processorvia the first communication channel.
19 It is to be appreciated that in some examples, part of the storage mediummay be used to store data as the configuration memory.
Authentication data set
The configuration memory may also include an authentication data set. This may include user identifier(s) and respective password(s) of authorized user(s). The authentication data set may include records of authentication data, associated with individuals or groups, which are authorized to interact with the data storage device for additional functions.
The authentication data set may be based on data entered during enrolment of user(s). In other examples, the data storage device may be supplied with some authentication data, such as a master password and other authentication data for administrators.
In some examples, the authentication data set is stored locally on the data storage device, such as in configuration memory. In other examples, at least part of the authentication data set may be stored in the storage medium in encrypted or unencrypted form. This enables authentication by the data storage device without relying on a network or other external systems.
Communication between the data storage device and the host device can be enabled by a physical connection. In the illustrated example, this includes a cable in accordance with the universal serial bus (USB) standards. This can include USB 2.0, USB 3.0, USB4, etc. In this example, the host device that is connected to the USB bridge would see two USB peripheral devices.
In some examples, the USB cable has ends including one or more of the following connectors:
a. USB-A
b. USB-B
c. Mini-USB B
d. Micro-USB B
e. Micro-USB 3.0
f. USB-C
g. Thunderbolt 1
h. Thunderbolt 2
Referring to FIG. 4, the first device would be the emulated network adapter in communication with the host device through the first communication channel, as a logical pipe through the USB cable. The second device would be the mass storage device in communication with the host device through the second communication channel, as a logical pipe also through the USB cable. Thus the one physical USB cable functionally carries both logical communication channels. This can be convenient for a user who can make one physical connection to establish both channels.
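The two logical devices described above are visible to the host in the USB configuration descriptor the device returns during enumeration. The following Python sketch is an added example, not part of the patent text: it walks a constructed descriptor and groups endpoint addresses by function, which is one way an administrator can confirm that a drive also presents a network adapter. The function names and the sample descriptor are assumptions; the class codes are the standard USB-IF values.

```python
import struct

# Class codes from the USB-IF class definitions.
CDC_COMM, NCM_SUBCLASS = 0x02, 0x0D      # CDC control interface, Network Control Model
CDC_DATA = 0x0A                          # CDC data interface (carries the Ethernet frames)
MSC, SCSI, BULK_ONLY = 0x08, 0x06, 0x50  # mass storage, SCSI transparent, Bulk-Only Transport
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
NETWORK, STORAGE = "network adapter (CDC-NCM)", "mass storage"


def parse_interfaces(blob):
    """Walk a configuration descriptor; return one dict per interface descriptor."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]   # wTotalLength
    if total > len(blob):
        raise ValueError("descriptor shorter than wTotalLength")
    interfaces, current, offset = [], None, 0
    while offset < total:
        if total - offset < 2:
            raise ValueError("dangling bytes at end of descriptor")
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > total:
            raise ValueError("malformed bLength at offset %d" % offset)
        d = blob[offset:offset + length]
        if dtype == DT_INTERFACE and length >= 9:
            current = {"number": d[2], "alt": d[3], "class": d[5],
                       "subclass": d[6], "protocol": d[7], "endpoints": []}
            interfaces.append(current)
        elif dtype == DT_ENDPOINT and length >= 7 and current is not None:
            current["endpoints"].append(d[2])      # bEndpointAddress
        offset += length                           # other descriptor types are skipped
    return interfaces


def functions(interfaces):
    """Group endpoint addresses by the function each interface belongs to."""
    found, in_ncm = {}, False
    for i in interfaces:
        key = None
        if i["class"] == CDC_COMM and i["subclass"] == NCM_SUBCLASS:
            in_ncm, key = True, NETWORK
        elif i["class"] == CDC_DATA and in_ncm:
            key = NETWORK          # data interface that follows an NCM control interface
        elif (i["class"], i["subclass"], i["protocol"]) == (MSC, SCSI, BULK_ONLY):
            key = STORAGE
        if key:
            found.setdefault(key, set()).update(i["endpoints"])
    return {k: sorted(v) for k, v in found.items()}


def _iface(num, alt, n_eps, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, alt, n_eps, cls, sub, proto, 0])


def _ep(addr, attrs, max_packet):
    return bytes([7, DT_ENDPOINT, addr, attrs]) + struct.pack("<H", max_packet) + b"\x00"


def sample_descriptor():
    """Constructed composite descriptor: NCM control + data interfaces, then mass storage."""
    body = (_iface(0, 0, 1, CDC_COMM, NCM_SUBCLASS, 0x00)
            + bytes([5, 0x24, 0x00, 0x10, 0x01])        # CDC header functional descriptor
            + _ep(0x81, 0x03, 16)                       # interrupt IN (notifications)
            + _iface(1, 0, 0, CDC_DATA, 0x00, 0x01)     # alt 0: no endpoints
            + _iface(1, 1, 2, CDC_DATA, 0x00, 0x01)     # alt 1: bulk pair
            + _ep(0x82, 0x02, 512) + _ep(0x02, 0x02, 512)
            + _iface(2, 0, 2, MSC, SCSI, BULK_ONLY)
            + _ep(0x83, 0x02, 512) + _ep(0x03, 0x02, 512))
    header = bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body)) + bytes([3, 1, 0, 0x80, 50])
    return header + body


if __name__ == "__main__":
    for name, eps in functions(parse_interfaces(sample_descriptor())).items():
        print(name, [hex(e) for e in eps])
```

The two endpoint lists correspond to the first and second endpoint sets the text associates with the network adapter and the mass storage device.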
Host device
The host device may include any computing device, electronic device, or electronic computing device that can host a peripheral device and has a web browser. Such host devices can include desktop computers, laptop computers, tablet computers, cellular phones, televisions, set top boxes, gaming consoles, electronic books (e-reader), etc.
Referring to FIG. 2, the host device includes a processor, a memory, and a communication interface. The processor may comprise one or more processors that are, in combination or individually, configured to execute program code stored within the memory to issue commands for controlling operation of the host device. The communication interface enables the host device to communicate with the data storage device and may further enable the processor to issue commands to the data storage device.
The host device may also include user interfaces, such as a monitor, keyboard, mouse, touchscreen, etc.
The memory of the host device may be configured to include a web browser application. Generally, the web browser is configured to open web pages in a network environment. In some examples, this includes communicating in a network environment via hypertext transfer protocol (HTTP).
In addition, the web browser is configured to interact with web applications or run web applications. This can include running scripts in languages such as HTML, CSS, JavaScript. In some examples, the memory of the host device may receive such scripts and web applications from the data storage device that, in turn, are operated in the web browser.
The memory may also include drivers to enable the processor to communicate and operate the emulated network adapter and the mass storage device of the data storage device.
Referring to FIG. 1, both the data storage device and the host device include respective device drivers. There are two categories: (i) a USB mass storage driver and (ii) Ethernet over USB protocol driver.
Ideally, the device drivers at the host device side are generic drivers that are provided in the operating system of the host device. This can advantageously enable functionality with the data storage device without the user having to install a bespoke driver to use the data storage device.
USB Mass Storage Driver
The USB mass storage driver may include a driver compatible with USB mass storage device class (e.g. USB MSC, UMS). These are typically drivers that enable a host device to communicate with a USB device that is an external data storage device (such as an external hard drive, external flash drive, solid state drives, memory cards, etc.).
Such USB mass storage drivers are provided natively to operating systems of host devices for ease and efficiency.
The USB mass storage driver enables communication through the second communication channel to send and receive data via the second endpoint set associated with the mass storage device.
Ethernet Over USB Protocol Driver (e.g. CDC-NCM)
The Ethernet over USB protocol driver is a driver configured to enable a host device to communicate with an Ethernet connection over a USB link.
The USB mass storage driver enables communication through the first communication channel to send and receive data via the first endpoint set associated with the mass storage device emulated network adapter.
Examples of such drivers include NCM (Network Control Model) that is part of CDC (Communication Device Class). Generally, these drivers enable the host device to communicate with other networked devices over HTTP.
The CDC-NCM is a part of the USB class drivers standard that provides a method for network-capable USB devices to manage network traffic. The NCM effectively bridges network data traffic at higher speeds over a USB interface, enabling USB network devices to reach closer to their full speed capabilities. CDC-NCM is implemented as part of the USB standard and it is to be appreciated that in addition to USB revisions (such as USB 2.0, 3.X and USB4), further revisions of USB standards may also utilize CDC-NCM suitable for the presently disclosed method and data storage device.
Advantageously, CDC-NCM is included in many contemporary operating systems of host devices.
Compared to other Ethernet over USB drivers, CDC-NCM offers efficiency in handling high-speed data transfers and broad compatibility with various devices and operating systems. CDC-NCM provides a balance of performance and reliability for network communication over USB.
It is to be appreciated that other Ethernet over USB drivers and systems could be used, such as RNDIS (Remote Network Driver Interface Specification offered by Microsoft), Ethernet Control Module (ECM), Ethernet Emulation Model (EEM).
Referring to FIG. 1, a lightweight IP (lwIP) provides a TCP/IP protocol layer implementation between the Ethernet over USB protocol driver and emulated HTTP server.
The lwIP may be a customised layer for the data storage device. Advantageously, lwIP is used for memory constrained devices as it provides the networking layer, TCP/IP implementation, and web server to implement a web-application-based interface for authentication and other security commands for the data storage device. Since the USB protocol driver (such as an NCM driver) is below the lwIP, it is possible to use customised lwIP without having to use specialised drivers or other software or firmware at the host device to translate the data.
The TCP/IP (Transmission Control Protocol/Internet Protocol) stack is a lower-level layer that underlies HTTP. It ensures data packets are properly routed across networks, provides error-checking and reliability, and handles IP addressing and port management. From the user and host device perspective, when using HTTP, this operates over the TCP/IP stack to transmit data between the browser and the web server/HTTP server.
The lwIP can also provide a simple HTTP server to enable the host device to communicate to the data storage device via the web application. This includes transmitting and receiving data, via the first communication channel, in accordance with Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
In some examples, the emulated HTTP server may host the web application. This may include server-side scripts (like Python, PHP or ASP). In some examples the HTTP server is configured to send the web application to the host device via the first communication channel.
Referring to FIG. 1, the example emulated network adapter is emulated by a combination of the driver, lwIP and emulated HTTP server. It is to be appreciated that alternative computer-implemented methods in software and/or firmware could be used to enable the processor to emulate another example of an emulated network adapter.
The web application may be instantiated at a browser of the host device. In some examples, the web application is a client-side script running on the host device (where the host device is a client of the emulated HTTP server). In other examples, the web application runs, at least in part, as a server-side script running at the emulated HTTP server where the browser at the host device operates as a terminal. It is to be appreciated that in some examples, the web application may be distributed where execution of the program is performed at both the data storage device (hosting the emulated HTTP server) and at the host device (with the browser).
The use of a web application in a browser increases flexibility and ease of use as many host devices include a browser. This can enable host devices using various operating systems to use the data storage device without having to install proprietary drivers or other applications.
In some examples, the web application comprises, at least in part, hypertext markup language (HTML). This can include HTML5. In other examples, the web application can be based on CSS (Cascading Style Sheets), JavaScript, etc. In other examples, the web application includes server-side scripts (e.g. PHP (Hypertext Preprocessor) or ASP (Active Server Page)). In some examples, Flask (a Python-based web framework) is used to build the server-side web application.
An example of a process of establishing communication with the host device will now be described. FIG. 3 shows a flow diagram of the method. FIGS. 5 and 6 illustrate a user interface of the host device during communicative coupling. FIGS. 7 to 11 are representations of the web application in a browser that is shown at a user interface of the host device.
The process includes communicatively coupling the host device with the data storage device and part of this process includes connecting the cable between the respective communication interfaces.
The USB (universal serial bus) bridge enumerates with the host device such that there are two peripheral devices, namely a network adapter and a mass storage device as illustrated in FIG. 4.
The network adapter (as an emulated network adapter) is established by communicatively coupling with the host device via the first communication channel. This first communication channel is enabled by the Ethernet over USB protocol driver. FIG. 5 illustrates a user interface showing the connected networks, including the emulated network using the first communication channel and Ethernet over USB protocol driver.
In some examples, the process includes communicatively coupling with the host device to enable access to an unsecured partition of the storage medium of the data storage device. This can include access to the unsecured partition as a mass storage device that can be read by a host device without having to unlock the data storage device. This unsecured partition is used to store shared data, such as a copy of the web application. In other examples, the unsecured partition may be used to store user instructions, hyperlinks, or other information to assist the user to initialise or otherwise use the data storage device and web application.
FIG. 6 illustrates an example of the user interface browsing the unsecured partition of the storage medium and where the unsecured partition stores a copy of the web application (named “Unlock_Drive.html”). The operator may select the web application so that the web application is sent from the unsecured partition to the host device via the second communication channel.
In some examples, the web application stored in the unsecured partition of the storage medium of the data storage device is read-only and/or write protected. This can prevent deleting or otherwise compromising the web application. In further examples, the unsecured partition is read-only.
Thus the web application, which in this case is in the form of an HTML script, is opened using a browser application of the host device. This can include running the application as a predominantly client-side web application.
In another example, the web application is hosted at the emulated HTTP server and the web application is accessed by the browser via the first communication channel and the emulated network adapter. This can include entering a URL (uniform resource locator) at the browser to request, or otherwise access, the web application.
The emulated HTTP server, in response to receiving a request to access the web application, sends the web application to the host device. This includes sending (at least in part) the web application via the first communication channel.
In some examples, the web application may be stored in the storage medium. This may include the unsecured partition as noted above, wherein the emulated HTTP server in turn sends the web application to the host device. In other examples, the web application is stored in a further memory (such as the configuration memory) separate to the storage medium.
In some examples, the web application is run, at least in part, at the server-side (i.e. at the emulated HTTP server). A representation of the web application is, in turn, sent to the host device. This enables a user to interact with the web application at the browser.
In yet other examples, the web application may be received at the host device via other means. One variation includes downloading the web application, via a network, such as the internet. This can include a server (including a cloud server) that has the web application available for download.
In another example, the web application is stored in the memory of the host device. This can include a previously downloaded copy of the web application from the internet, or a previously received copy of the web application from the unsecured partition.
FIG. 7 illustrates a representation of an instantiation of the web application at the browser. This includes a prompt to enable a user to enter authentication data, such as a password. In some examples, this can also include a username which can be useful where the data storage device is enabled for multiple users.
The authentication data is then transmitted, via the first communication channel, and received at the data storage device. The authentication data, in some examples, is transmitted in accordance with TCP and/or UDP protocols.
The data storage device verifies that the received authentication data corresponds to a record in an authentication data set. This can include comparing the received authentication data to records saved during enrolment of user(s). The authentication data set may be stored in the configuration memory.
In response to verifying that the authentication data corresponds to a valid record (such as an authorized user), the method includes selectively enabling access between the host device and a secured partition of the storage medium via the second communication channel.
In some examples, this includes making the secured partition available as part of the mass storage device. In alternative examples, this can include enumerating a further mass storage device (such that from the host device perspective there are three peripheral devices being: the emulated network adapter, a mass storage device for the unsecured partition, and another mass storage device for the secured partition).
From the host device perspective, once the data storage device is unlocked such that access is enabled to the secured partition of the storage medium, the secured partition can be used as a mass storage device. In some examples, it is not necessary for further interaction with the browser or web application during the same session to access the secured partition. In some examples, the session ends, and the drive is automatically locked again if the cable is disconnected. In other examples, the session ends when the data storage device is locked via the web application (discussed in a separate section below).
In some examples, enabling access can include enabling access to encrypted user data stored in the secured partition. This can have particular application to examples where the data storage device is a self-encrypting drive (SED). This can be enabled by a cryptography engine configured to encrypt and decrypt user data. Referring to FIG. 12, the method may include receiving user data from the host device and, in response, encrypting the user data to encrypted data with the cryptography engine. The encrypted user data is then stored in the secured partition of the storage medium. When the authenticated host device requests the user data, this includes receiving encrypted user data stored in the secured partition and, in response, decrypting the encrypted user data to user data with the cryptography engine. The method further includes sending the user data to the host device via the second communication channel.
The data storage device may be selectively locked. In some examples, the data storage device may be configured to automatically lock the device when the cable is disconnected from the data storage device and/or the host device. In further examples, the data storage device is configured to lock the device after a specified time of inactivity. For example, if no read/write/erase activity occurs for 15 minutes, 30 minutes, 1 hour, etc.
In yet further examples, the web application includes an option for a user to lock the secured partition. Referring to FIG. 8(a), after a user has unlocked the drive the web application displays a representation with a graphical user interface icon to lock the drive. Upon selecting the icon, this sends a lock command via the first communication channel to the data storage device. In response, the data storage device disables access between the host device and the secured partition of the storage medium.
In some examples, a confirmation message is sent, via the first communication channel, to the host device that is displayed in the web application as illustrated in FIG. 8(b).
FIG. 9(a) illustrates an example of enrolling a user and their corresponding password as authentication data. This includes a prompt for a user to enter their desired password in the web application. Although this example only includes a password, it is to be appreciated that a user identifier in conjunction with a password can form the authentication data. The desired authentication data is then sent from the host device to the data storage device, wherein the processing device stores the authentication data as part of the authentication data set. In some examples the processor, or the instantiated web application, may check the desired authentication data before storing it. This may include checking that the authentication data is properly formed and meets requirements such as minimum length and/or complexity.
Upon successful enrolment of the authentication data, a notification may be sent from the data storage device to be displayed at the web application in the browser as shown in FIG. 9(b).
In some examples, multiple passwords (e.g. multiple records in the authentication data set) can be stored in the data storage device to enable multiple users to have access to the secured partition.
In further examples, a password may be removed or reset. FIG. 7 illustrates these selectable options during unlocking of the data storage device. FIG. 10(a) illustrates an example of the web application providing an interface for a user to enter their existing password and reset it with a new password as authentication data. The authentication data is then sent to the data storage device and upon verifying the existing password, the new password can be stored as part of the authentication data set. A notification of successful reset is sent to a representation of the web application in the browser as shown in FIG. 10(b).
FIG. 11(a) illustrates an example of the web application providing an interface for removing a password. This may be useful in cases where there are multiple passwords for multiple enrolled users, and it is desirable to remove one of the passwords if one of the users should no longer have access to the secured partition. The authentication data to be removed is then sent to the data storage device and upon successful removal of the respective record from the authentication data set, a notification is sent to a representation of the web application in the browser as shown in FIG. 11(b).
The above described commands are security commands and these are sent and received between the data storage device and the host device via the first channel. This can include securely sending these security commands over HTTP and enabled by the TCP and UDP protocols at the lwIP.
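The enrol, unlock, lock, reset and remove commands described above can be modelled as a small access-control state machine. The following Python sketch is an added example, not code from the patent: the class and method names, the 8-character minimum, the salted PBKDF2 record format and the requirement to present the password before removing a record are all assumptions, and the injected clock stands in for the device timer so the inactivity lock can be exercised.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8           # assumed enrolment policy; the text only says "minimum length"
IDLE_TIMEOUT = 15 * 60   # seconds, the 15-minute inactivity example from the text


def digest(password, salt):
    # Assumption: records hold a salted PBKDF2 digest rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessController:
    """Gates the secured partition; commands arrive over the first channel."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.records = {}        # authentication data set: user -> (salt, digest)
        self.unlocked = False
        self.last_io = 0.0
        self.dummy = (os.urandom(16), os.urandom(32))   # used for unknown users

    def _store(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, digest(password, salt))

    def _verify(self, user, password):
        # Same work and a constant-time compare whether or not the user exists.
        salt, stored = self.records.get(user, self.dummy)
        match = hmac.compare_digest(digest(password, salt), stored)
        return match and user in self.records

    def enrol(self, user, password):
        if len(password) < MIN_LENGTH or user in self.records:
            return False
        self._store(user, password)
        return True

    def unlock(self, user, password):
        ok = self._verify(user, password)
        if ok:
            self.unlocked, self.last_io = True, self.clock()
        return ok

    def lock(self):
        # Called for the web application's lock command and on cable disconnect.
        self.unlocked = False

    def accessible(self):
        # Checked before each transfer on the second (mass storage) channel.
        if self.unlocked and self.clock() - self.last_io >= IDLE_TIMEOUT:
            self.unlocked = False
        return self.unlocked

    def record_io(self):
        # Read/write/erase activity resets the inactivity timer while unlocked.
        if self.accessible():
            self.last_io = self.clock()

    def reset(self, user, old, new):
        if len(new) < MIN_LENGTH or not self._verify(user, old):
            return False
        self._store(user, new)
        return True

    def remove(self, user, password):
        if not self._verify(user, password):
            return False
        del self.records[user]
        return True


if __name__ == "__main__":
    ac = AccessController()
    print(ac.enrol("alice", "correct horse"), ac.unlock("alice", "correct horse"),
          ac.accessible())
```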
The present disclosure includes using a web-based interface accessed through a web browser to manage a data storage device, such as a USB drive. Users can perform actions like locking and unlocking the data storage device's content stored in the storage medium securely through this interface.
Examples of the presently described data storage device and method can offer cross-platform compatibility. Instead of requiring operating system specific applications (e.g. an application for each of Windows, MacOS, and other operating systems) and drivers, the web-based interface can be accessed from any platform (host device) with a web browser.
In addition, there is reduced complexity. Removing operating system specific applications can streamline USB drive management for both end-users and information technology administrators. This includes reducing or removing the requirement to maintain different software versions or worry about compatibility issues with different operating systems.
In some examples, this described data storage device and method enhances security. This can include leveraging browser security features such as sandboxing and HTTPS (HTTP Secure) to provide a secure environment for USB drive management and protecting data from unauthorized access and threats.
In some examples, the method and data storage device uses CDC-NCM drivers for sending security commands between the data storage device and the host device. Advantageously, the CDC-NCM driver is supported by major operating systems and by a wide range of USB host devices. This assists in compatibility with a wide range of hardware and software.
In the example illustrated in FIGS. 1 and 2, the first communication channel and the second communication channel are carried through a shared physical cable. It is to be appreciated that in one alternative, the first communication channel is carried via a cable. However, the second communication channel is via an alternative means, such as via Wi-Fi. That is, the mass storage driver is configured to send and receive user data via a wireless Wi-Fi network.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the present disclosure. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
October 23, 2024
April 23, 2026